[187951] in North American Network Operators' Group
Re: google search threshold
daemon@ATHENA.MIT.EDU (Philip Lavine via NANOG)
Mon Feb 29 10:56:18 2016
X-Original-To: nanog@nanog.org
Date: Mon, 29 Feb 2016 15:53:54 +0000 (UTC)
To: Damian Menscher <damian@google.com>
In-Reply-To: <CABSP1OeTme13JiOaySiQfJFtjDGT+TdZOi5mvNTKsoKFYP5fvg@mail.gmail.com>
From: Philip Lavine via NANOG <nanog@nanog.org>
Reply-To: Philip Lavine <source_route@yahoo.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I have about 2000 users behind a single NAT. I have been looking at netflow=
, URL filter logs, IDS logs, etc. The traffic seems to be legit.=20
I am going to move more users to IPv6 and divide some of the subnets into d=
ifferent NATS and see if that alleviates the traffic load.
Thanks for the advice.
-Philip
From: Damian Menscher <damian@google.com>
To: Philip Lavine <source_route@yahoo.com>=20
Cc: "nanog@nanog.org" <nanog@nanog.org>
Sent: Friday, February 26, 2016 6:05 PM
Subject: Re: google search threshold
=20
On Fri, Feb 26, 2016 at 3:01 PM, Philip Lavine via NANOG <nanog@nanog.org> =
wrote:
Does anybody know what the threshold for google searches is before you get =
the captcha?I=C2=A0 am trying to decide if I need to break up the overload =
NAT to a pool.
There isn't a threshold -- if you send automated searches from an IP, then =
it gets blocked (for a while).
So... this comes down to how much you trust your machines/users.=C2=A0 If y=
ou're a company with managed systems, then you can have thousands of users =
share the same IP without problems.=C2=A0 But if you're an ISP, you'll like=
ly run into problems much earlier (since users like their malware).
Some tips:=C2=A0=C2=A0 - if you do NAT: try to partition users into pools s=
o one abusive user can't get all your external IPs blocked=C2=A0 - if you h=
ave a proxy: make sure it inserts the X-Forwarded-For header, and is restri=
cted to your own users=C2=A0 - if you're an ISP: IPv6 will allow each user =
to have their own /64, which avoids shared-fate from abusive ones
Damian (responsible for DDoS defense)--=C2=A0Damian Menscher :: Security Re=
liability Engineer :: Google :: AS15169
